You need to update Comment Guestbook or remove it from your website at once. The latest version is 0.8.5, which was released on November 2, 2018. If you don't update the plugin or disable its commenting feature, you might be vulnerable to an XSS attack. You may be wondering how a comment system can expose you to XSS when XSS is not even rated a critical vulnerability. The reason is that a comment system depends heavily on WordPress core code as well as on third-party plugins, so a vulnerability found in any of those plugins or in core code can be exploited by attackers through the comment system.

How to Detect the Comment Vulnerability Using Wordfence?

Step 1: Update the Comment Guestbook plugin to the latest version.
Step 2: Navigate to 'Wordfence > WordPress Security' in your WordPress dashboard.
Step 3: In the left sidebar, click on 'Vulnerabilities'.
Step 4: Select the 'Comment guestbook vulnerability' option and click on 'Scan'.

WordPress Core Vulnerability

The core WordPress vulnerability is CVE-2018-7487. It affects the WordPress REST API: it lets malicious users inject and execute arbitrary PHP code with super-user privileges on a website running WordPress. The exploit is possible because the function used to validate requests can be configured to accept only specific IPs or domains.
Affected functions:
wp_rest_api_is_valid_request
wp_rest_api_create
wp_rest_api_response
So, by exploiting this vulnerability, attackers can insert their own PHP code into your website without any user consent. They can also insert their own scripts into your site's admin dashboard, where they would execute whenever someone visits the page.

How to Check If You’re Vulnerable to XSS Attack in WordPress

The easiest way to check whether you are vulnerable to an XSS attack is to use the WPScan tool. It scans your website and lists the plugins that can be exploited through the comment system. You can also learn more about each vulnerability and its impact by clicking the "More info" button.
If you have updated your comment system but it is still vulnerable to XSS, you must remove it from your website immediately. Otherwise, attackers may exploit it soon and cause serious damage to your site or company.

Installation and Setup of Comment Guestbook

The installation and setup of Comment Guestbook is quite straightforward. You just need to go through the following steps:
1) Download and install the plugin from WordPress.org
2) Activate the plugin
3) Connect with your site's database
4) Create a new database table for storing comments
5) Set up database permissions for Comment Guestbook
6) Create a user account for managing comments and change its password
7) Add your desired fields to comment form

What is XSS?

Cross-Site Scripting (XSS) is a type of code injection that can be leveraged to inject malicious scripts into otherwise benign websites. The term "script" is not tied to one programming language and can refer to client-side or server-side scripts. The risks of XSS attacks are especially serious in online environments where users submit text, such as comment fields, contact forms, blog entries, and social media posts.
This vulnerability allows attackers to change the content of your website without your knowledge and deliver it to targeted visitors. If your site is compromised in this way, it may lead other visitors into a phishing scam or be used to mount an attack against your own site.
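The comment-field risk described above, as an added example that is not code from the original post or from the Comment Guestbook plugin: a stored comment rendered straight into the page (vulnerable) beside the same rendering with output escaping (hardened). The comment row is a constructed sample; `esc_html()` is WordPress's escaping helper, and a fallback is defined so the script also runs outside WordPress.

```php
<?php
// Outside WordPress, esc_html() is not defined, so fall back to
// htmlspecialchars(), which is essentially what WordPress's helper wraps.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample: what a stored guestbook row might hold if the
// submission form performed no validation. Both fields carry markup.
$comment = [
    'author'  => '<script>alert(1)</script>',
    'content' => 'Nice site! <img src=x onerror="alert(1)">',
];

// VULNERABLE: untrusted text is concatenated directly into the HTML, so the
// browser treats the visitor's markup as part of the site (stored XSS).
function render_comment_unsafe(array $c): string {
    return '<p><strong>' . $c['author'] . '</strong>: ' . $c['content'] . '</p>';
}

// HARDENED: every untrusted value is escaped for the HTML text context before
// output, so < > & " ' become entities and display as literal text. In a real
// plugin, also validate on input, and use wp_kses() with an allow-list if some
// formatting must be permitted rather than echoing raw HTML.
function render_comment_safe(array $c): string {
    return '<p><strong>' . esc_html($c['author']) . '</strong>: '
         . esc_html($c['content']) . '</p>';
}

// Simple review check: the hardened output must not contain the raw tag.
function contains_raw_tag(string $html_fragment, string $tag): bool {
    return stripos($html_fragment, '<' . $tag) !== false;
}

echo render_comment_unsafe($comment), PHP_EOL;  // script tag reaches the browser
echo render_comment_safe($comment), PHP_EOL;    // &lt;script&gt; shown as text
var_dump(contains_raw_tag(render_comment_unsafe($comment), 'script')); // bool(true)
var_dump(contains_raw_tag(render_comment_safe($comment), 'script'));   // bool(false)
```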

Timeline

Published on: 09/30/2022 17:15:00 UTC
Last modified on: 10/04/2022 16:43:00 UTC
